What are people's experiences with Memcached

DDoS protection and cybersecurity

DoS stands for Denial of Service; the escalated form is DDoS, where the additional D stands for Distributed. This is a common type of attack on the Internet. In such an incident, countless requests are sent to a service (YouTube, GitHub, Twitter, etc.) in a very short time. Ultimately, this overloads the service, and the corresponding site is no longer available to users. This can mean considerable financial damage for the operator of the Internet service, and attackers can blackmail operators for protection money. Find out more about the topic and about DDoS protection here.

DDoS attack without appropriate DDoS protection

DDoS attacks have an ever greater impact: they overwhelm services with ever larger amounts of data, and good DDoS protection requires tools that can absorb and disperse that volume. At the same time, more and more attacks are recorded in which only specific parts of the IT infrastructure are targeted and disrupted. These attacks are less noticeable, and the smaller the application or service, the less data is needed for the attack. On the other hand, DDoS attacks are no longer used only to deny service; they are increasingly used as cover to camouflage other cyber attacks, such as data breaches and financial fraud. Organizations should use a DDoS monitoring tool that detects potential DDoS attacks and blocks them as soon as they occur. This also gives you a comprehensive overview of your networks.

Botnets play a crucial role

In most cases, DDoS attacks use botnets. Attackers hijack third-party computers in advance, usually with malware such as Trojans or worms. The hijacked computers are then assembled into a network that the attacker controls remotely via a C&C server (Command & Control server). In a DDoS attack, the bandwidth of these victim systems is exploited: they all send identical requests to the target's servers at the same time. DDoS protection prevents such an attack.

Memcached servers: cyber attacks are also possible without botnets

Hijacking third-party computers or IoT devices can be very tedious for the attacker. For this reason, some attacks do without botnets, such as the attack on GitHub in 2018, in which exposed Memcached servers were exploited. These database caching services exist to make networks and websites faster. Access to these servers from the Internet is possible without authentication; an attacker only needs the IP address. The attackers then send small queries to many Memcached servers at the same time, about 10 per second per server. The Memcached servers are designed to produce a much larger response, and they return 50 times the requested data to the victim system. In this way, data volumes of several terabytes per second can be generated, which easily lead to the collapse of a service. DDoS protection also effectively prevents this type of cyber attack.

DDoS protection prevents attacks via DNS reflection

DDoS attacks via DNS reflection techniques are also used. The attacker sends a DNS request using the victim's IP address as the source (IP spoofing). The DNS server therefore sends its response to the victim. This is where amplification comes into play in the next step.

"UDP packets with DNS queries are typically relatively small (<100 bytes). Response packets are significantly larger (<500 bytes), depending on the requested entry. A comparatively small bandwidth can achieve a significant increase in the attack load on the victim's side, and the attack is thus intensified (amplification)."
Federal Office for Security in Information Technology (BSI)

DDoS protection: DDoS protection tools

Our DDoS protection tools and measures prevent DDoS attacks.

These include web application firewalls (WAFs), which protect online services at the application layer. In general, they ensure that:

  • Incoming connections are only permitted from sources that are allowed to access the service. This is done with blacklists (lists of prohibited connections) or whitelists (lists of allowed connections).
  • The same applies to outgoing connections: they are only possible with explicit permission. In this way, botnets can be paralyzed, for example, because the bots can no longer contact the attacker's Command & Control server.

Amplification attacks via Memcached servers:

  • Remove exposed Memcached servers from the Internet and deploy them securely behind firewalls in internal networks.
  • Filters in WAFs that block Memcached traffic when a suspicious volume of requests is detected.
  • If network operators can identify the attack command used, the malicious traffic can be stopped early by blocking all Memcached packets of that length.
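The Memcached amplification pattern described above (small queries, much larger replies sent to a spoofed victim) and the length-based filtering suggested in the last point can be checked for in exported packet metadata. The following is an added example, not code from the page or from any vendor; it assumes constructed collector records of the form (src_ip, src_port, dst_ip, length) and hypothetical thresholds, and it generalizes the same check to the DNS and NTP reflection cases named on this page.

```python
"""Flag reflected amplification traffic in UDP packet metadata (added example).

Assumes constructed collector records (src_ip, src_port, dst_ip, length). Replies
reflected off Memcached arrive from UDP source port 11211; the same check covers
the DNS (53) and NTP (123) reflection cases named on the page (a generalization).
"""
from collections import Counter, defaultdict

REFLECTOR_PORTS = {11211: "memcached", 53: "dns", 123: "ntp"}
BIG_REPLY_BYTES = 500  # page: DNS replies reach ~500 bytes, Memcached replies far more
MIN_REFLECTORS = 3     # hypothetical threshold: one victim hit from several reflectors


def detect_reflection(packets):
    """Return {victim_ip: {"service", "reflectors", "bytes"}} for destinations that
    receive large replies from at least MIN_REFLECTORS distinct reflector sources."""
    seen = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "service": set()})
    for src_ip, src_port, dst_ip, length in packets:
        if src_port not in REFLECTOR_PORTS or length < BIG_REPLY_BYTES:
            continue  # ordinary small cache, DNS or NTP answers are not interesting
        entry = seen[dst_ip]
        entry["reflectors"].add(src_ip)
        entry["bytes"] += length
        entry["service"].add(REFLECTOR_PORTS[src_port])
    return {ip: {"service": sorted(e["service"]), "reflectors": len(e["reflectors"]),
                 "bytes": e["bytes"]}
            for ip, e in seen.items() if len(e["reflectors"]) >= MIN_REFLECTORS}


def dominant_reply_length(packets, victim_ip, port=11211):
    """Most common size of large replies to the victim from one reflector port; the
    page notes that a fixed attack length lets operators drop exactly those packets."""
    sizes = Counter(length for src, sport, dst, length in packets
                    if dst == victim_ip and sport == port and length >= BIG_REPLY_BYTES)
    return sizes.most_common(1)[0][0] if sizes else None


# Constructed sample: three reflectors (10.0.0.1-3) flood 192.0.2.10 with 1400-byte
# Memcached replies; a normal 120-byte cache reply and two DNS answers are benign.
SAMPLE = [
    ("10.0.0.1", 11211, "192.0.2.10", 1400), ("10.0.0.2", 11211, "192.0.2.10", 1400),
    ("10.0.0.3", 11211, "192.0.2.10", 1400), ("10.0.0.1", 11211, "192.0.2.10", 1400),
    ("10.0.0.2", 11211, "192.0.2.10", 1280), ("10.0.0.9", 11211, "192.0.2.20", 120),
    ("10.0.0.5", 53, "192.0.2.30", 90), ("10.0.0.6", 53, "192.0.2.10", 480),
]

if __name__ == "__main__":
    for victim, info in detect_reflection(SAMPLE).items():
        print(victim, info, "dominant length:", dominant_reply_length(SAMPLE, victim))
```

The dominant reply length is the value an operator would feed into the length-based block rule; the thresholds need tuning against a site's own baseline traffic.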

Reflection attacks via the Network Time Protocol (NTP):

  • Here a web application firewall and a network infrastructure spread across several data centers help.
  • Even if a single IP address is the target, the flood of data can be spread out with a corresponding firewall feature: the incoming load is distributed across different data centers, and the attacked service remains available.